NAC Appliance with AD SSO issue

nitass
Level 1

Hi,

I'm testing NAC Appliance with AD SSO. The SSO seems to be OK. Anyway, users will be prompted with the agent login dialog if they don't log in to AD. In addition, they can't pass authentication even if they use the correct credentials. How can I discard this dialog? I'd like to force them to log in to AD. Please advise.

Thanks,

Nitass

6 Replies

nasim_nasri
Level 1

Is the system (PC/laptop) already joined to the domain?

Sorry, I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both are pointed to the same domain controller. The reason I created the Kerberos one is to allow users to log in through web login to download the agent the first time. After that, AD SSO will be used for authentication.

Anyway, the problem is that if the user (laptop) does not log in to the domain, the agent dialog will display and still allow the user to log in via Kerberos. I do not want things like this. How can I do it? Please advise.

Thanks,

Nitass

Craig Hyps
Level 10

Nitass,

If you only wish to allow AD logins, then AD SSO should be attempted first, which it sounds like it is. If for any reason SSO fails for a user, then you can configure an authentication server that uses Kerberos (AD) or LDAP. This can be the same server used for AD SSO, but it needs to be a separate authentication server, which can be enabled for the user login page. The user login page can have the allowed options, which can include one or more auth servers.

Regards,

chyps

Hi Chyps,

Would it be possible to use an authentication server (i.e. Kerberos) for web login only? I do not want that authentication server to be used by the Clean Access Agent in case SSO fails.

Thanks and regards,

Nitass

The auth server options selected on the user login page are configurable for a specific VLAN or operating system, so it would be possible to have different auth servers selected for Windows and, say, Linux/Mac users, but for users that map to the same login page, both web auth and agent-based users (including AD SSO users) will see the same auth server list.

/chyps

Hi Chyps,

Thanks. It seems that it is not possible to enable the Kerberos auth server only for web auth (and disable the same Kerberos auth server for agent-based).

Thanks again,

Nitass
